function BlockXssTest::doViewTest

Same name in other branches
  1. 9 core/modules/block/tests/src/Functional/BlockXssTest.php \Drupal\Tests\block\Functional\BlockXssTest::doViewTest()
  2. 8.9.x core/modules/block/tests/src/Functional/BlockXssTest.php \Drupal\Tests\block\Functional\BlockXssTest::doViewTest()
  3. 10 core/modules/block/tests/src/Functional/BlockXssTest.php \Drupal\Tests\block\Functional\BlockXssTest::doViewTest()

Tests XSS coming from View block labels.

1 call to BlockXssTest::doViewTest()
BlockXssTest::testBlockXss in core/modules/block/tests/src/Functional/BlockXssTest.php
Tests various modules that provide blocks for XSS.

File

core/modules/block/tests/src/Functional/BlockXssTest.php, line 104

Class

BlockXssTest
Tests that the block module properly escapes block descriptions.

Namespace

Drupal\Tests\block\Functional

Code

protected function doViewTest() : void {
    // Create a View without a custom label for its block Display. The
    // admin_label of the block then becomes just the View's label.
    $view = View::create([
        'id' => $this->randomMachineName(),
        'label' => '<script>alert("view1");</script>',
    ]);
    $view->addDisplay('block');
    $view->save();
    // Create a View with a custom label for its block Display. The
    // admin_label of the block then becomes the View's label combined with
    // the Display's label.
    $view = View::create([
        'id' => $this->randomMachineName(),
        'label' => '<script>alert("view2");</script>',
    ]);
    $view->addDisplay('block', 'Fish & chips');
    $view->save();
    $this->drupalGet(Url::fromRoute('block.admin_display'));
    $this->clickLink('Place block');
    // \Drupal\views\Plugin\Derivative\ViewsBlock::getDerivativeDefinitions()
    // has a different code path for an admin label based only on the View
    // label versus one based on both the View label and the Display label.
    // Ensure that this test is covering both code paths by asserting the
    // absence of a ":" for the first View and the presence of a ":" for the
    // second one. Note that the second assertion is redundant with the one
    // further down which also checks for the Display label, but is included
    // here for clarity.
    $this->assertSession()
        ->assertNoEscaped('<script>alert("view1");</script>:');
    $this->assertSession()
        ->assertEscaped('<script>alert("view2");</script>:');
    // Assert that the blocks have their admin labels escaped and
    // don't appear anywhere unescaped.
    $this->assertSession()
        ->assertEscaped('<script>alert("view1");</script>');
    $this->assertSession()
        ->responseNotContains('<script>alert("view1");</script>');
    $this->assertSession()
        ->assertEscaped('<script>alert("view2");</script>: Fish & chips');
    $this->assertSession()
        ->responseNotContains('<script>alert("view2");</script>');
    $this->assertSession()
        ->responseNotContains('Fish & chips');
    // Assert the Display label doesn't appear anywhere double escaped.
    $this->assertSession()
        ->responseNotContains('Fish & chips');
    $this->assertSession()
        ->responseNotContains('Fish &amp;amp; chips');
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.